wip: migrate client modules

2026-04-15 05:39:11 +02:00 · 2026-04-02 19:25:58 +02:00 · 2026-04-02 19:25:58 +02:00 · 7ce27d5d2f
commit 7ce27d5d2f
parent f6d2ff1544
245 changed files with 20254 additions and 188 deletions
--- a/modules-clone/nixos/server/mailserver.nix
+++ b/modules-clone/nixos/server/mailserver.nix
@ -0,0 +1,166 @@
+{ self, lib, config, globals, dns, confLib, ... }:
+let
+  inherit (config.swarselsystems) sopsFile;
+  inherit (confLib.gen { name = "mailserver"; dir = "/var/lib/dovecot"; user = "virtualMail"; group = "virtualMail"; port = 443; }) serviceName serviceDir servicePort serviceUser serviceGroup serviceAddress serviceDomain proxyAddress4 proxyAddress6;
+  inherit (confLib.static) isHome webProxy homeWebProxy dnsServer homeServiceAddress nginxAccessRules;
+  inherit (config.repo.secrets.local.mailserver) user1 alias1_1 alias1_2 alias1_3 alias1_4 user2 alias2_1 alias2_2 alias2_3 user3;
+  baseDomain = globals.domains.main;
+
+  roundcubeDomain = config.repo.secrets.common.services.domains.roundcube;
+  endpointAddress4 = globals.hosts.${config.node.name}.wanAddress4 or null;
+  endpointAddress6 = globals.hosts.${config.node.name}.wanAddress6 or null;
+in
+{
+  options = {
+    swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
+  };
+  config = lib.mkIf config.swarselmodules.server.${serviceName} {
+
+    users = {
+      persistentIds = {
+        knot-resolver = confLib.mkIds 963;
+        postfix-tlspol = confLib.mkIds 962;
+        roundcube = confLib.mkIds 961;
+        redis-rspamd = confLib.mkIds 960;
+      };
+    };
+
+    globals.services = {
+      ${serviceName} = {
+        domain = serviceDomain;
+        proxyAddress4 = endpointAddress4;
+        proxyAddress6 = endpointAddress6;
+      };
+      roundcube = {
+        domain = roundcubeDomain;
+        inherit proxyAddress4 proxyAddress6 isHome serviceAddress;
+        homeServiceAddress = lib.mkIf isHome homeServiceAddress;
+      };
+    };
+
+    topology.self.services = lib.listToAttrs (map
+      (service:
+        lib.nameValuePair "${service}" {
+          name = lib.swarselsystems.toCapitalized service;
+          info = lib.mkIf (service == "postfix" || service == "roundcube") (if service == "postfix" then "https://${serviceDomain}" else "https://${roundcubeDomain}");
+          icon = "${self}/files/topology-images/${service}.png";
+        }
+      )
+      [ "postfix" "dovecot" "rspamd" "clamav" "roundcube" ]);
+
+    sops.secrets = {
+      user1-hashed-pw = { inherit sopsFile; owner = serviceUser; };
+      user2-hashed-pw = { inherit sopsFile; owner = serviceUser; };
+      user3-hashed-pw = { inherit sopsFile; owner = serviceUser; };
+    };
+
+    environment.persistence."/persist".directories = lib.mkIf config.swarselsystems.isImpermanence [
+      { directory = "/var/vmail"; user = serviceUser; group = serviceGroup; mode = "0770"; }
+      { directory = "/var/sieve"; user = serviceUser; group = serviceGroup; mode = "0770"; }
+      { directory = "/var/dkim"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
+      { directory = serviceDir; user = serviceUser; group = serviceGroup; mode = "0700"; }
+      # { directory = "/var/lib/postgresql"; user = "postgres"; group = "postgres"; mode = "0750"; }
+      { directory = "/var/lib/rspamd"; user = "rspamd"; group = "rspamd"; mode = "0700"; }
+      { directory = "/var/lib/roundcube"; user = "roundcube"; group = "roundcube"; mode = "0700"; }
+      { directory = "/var/lib/redis-rspamd"; user = "redis-rspamd"; group = "redis-rspamd"; mode = "0700"; }
+      { directory = "/var/lib/postfix"; user = "root"; group = "root"; mode = "0755"; }
+      { directory = "/var/lib/knot-resolver"; user = "knot-resolver"; group = "knot-resolver"; mode = "0770"; }
+    ];
+
+    mailserver = {
+      enable = true;
+      stateVersion = 3;
+      fqdn = serviceDomain;
+      domains = [ baseDomain ];
+      indexDir = "${serviceDir}/indices";
+      openFirewall = true;
+      # certificateScheme = "acme";
+      dmarcReporting.enable = true;
+      enableSubmission = true;
+      enableSubmissionSsl = true;
+      enableImapSsl = true;
+      x509.useACMEHost = globals.domains.main;
+
+      loginAccounts = {
+        "${user1}@${baseDomain}" = {
+          hashedPasswordFile = config.sops.secrets.user1-hashed-pw.path;
+          aliases = [
+            "${alias1_1}@${baseDomain}"
+            "${alias1_2}@${baseDomain}"
+            "${alias1_3}@${baseDomain}"
+            "${alias1_4}@${baseDomain}"
+          ];
+        };
+        "${user2}@${baseDomain}" = {
+          hashedPasswordFile = config.sops.secrets.user2-hashed-pw.path;
+          aliases = [
+            "${alias2_1}@${baseDomain}"
+            "${alias2_2}@${baseDomain}"
+            "${alias2_3}@${baseDomain}"
+          ];
+          sendOnly = true;
+        };
+        "${user3}@${baseDomain}" = {
+          hashedPasswordFile = config.sops.secrets.user3-hashed-pw.path;
+          aliases = [
+            "@${baseDomain}"
+          ];
+          catchAll = [
+            baseDomain
+          ];
+        };
+      };
+    };
+
+    services.roundcube = {
+      enable = true;
+      # this is the url of the vhost, not necessarily the same as the fqdn of
+      # the mailserver
+      hostName = roundcubeDomain;
+      extraConfig = ''
+        $config['imap_host'] = "ssl://${config.mailserver.fqdn}";
+        $config['smtp_host'] = "ssl://${config.mailserver.fqdn}";
+        $config['smtp_user'] = "%u";
+        $config['smtp_pass'] = "%p";
+      '';
+      configureNginx = true;
+    };
+
+    # the rest of the ports are managed by snm
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    services.nginx = {
+      virtualHosts = {
+        "${roundcubeDomain}" = {
+          useACMEHost = globals.domains.main;
+          enableACME = false;
+          forceSSL = true;
+          acmeRoot = null;
+          locations = {
+            "/".recommendedSecurityHeaders = false;
+            "~ ^/(SQL|bin|config|logs|temp|vendor)/".recommendedSecurityHeaders = false;
+            "~ ^/(CHANGELOG.md|INSTALL|LICENSE|README.md|SECURITY.md|UPGRADING|composer.json|composer.lock)".recommendedSecurityHeaders = false;
+            "~* \\.php(/|$)".recommendedSecurityHeaders = false;
+          };
+        };
+      };
+    };
+
+    nodes =
+      let
+        extraConfigLoc = ''
+          proxy_ssl_server_name on;
+          proxy_ssl_name ${roundcubeDomain};
+        '';
+      in
+      {
+        ${dnsServer}.swarselsystems.server.dns.${globals.services.${serviceName}.baseDomain}.subdomainRecords = {
+          "${globals.services.${serviceName}.subDomain}" = dns.lib.combinators.host endpointAddress4 endpointAddress6;
+          "${globals.services.roundcube.subDomain}" = dns.lib.combinators.host proxyAddress4 proxyAddress6;
+        };
+        ${webProxy}.services.nginx = confLib.genNginx { inherit serviceAddress servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; };
+        ${homeWebProxy}.services.nginx = lib.mkIf isHome (confLib.genNginx { inherit servicePort serviceName extraConfigLoc; serviceDomain = roundcubeDomain; protocol = "https"; maxBody = 0; extraConfig = nginxAccessRules; serviceAddress = homeServiceAddress; });
+      };
+
+  };
+}